
Mexico's new Federal Data Protection Law: What it means for companies


On March 20, 2025, the new Federal Law for the Protection of Personal Data Held by Private Parties (LFPDPPP of 2025) was published in the Official Gazette of the Federation. The LFPDPPP of 2025 entered into force on March 21, 2025 and repeals the law of the same name published in 2010.

As a consequence of the dissolution of the National Institute for Transparency, Access to Information and Protection of Personal Data (INAI), the LFPDPPP of 2025 provides that the material and financial resources of the INAI are transferred to the Ministry of Anti-Corruption and Good Governance, which becomes the new authority in charge of personal data protection. The Ministry is tasked with disseminating knowledge of the right to personal data protection, promoting its exercise, and monitoring compliance with the applicable provisions. Proceedings that were pending before the INAI when the LFPDPPP of 2025 entered into force will continue to be processed under the rules in force at the time they were initiated, but are now handled by the Ministry of Anti-Corruption and Good Governance.

Changes introduced by the LFPDPPP of 2025

  • It modifies the definition of data controller: a controller is now any individual or legal entity that processes personal data, whether or not it makes decisions about that processing. This significantly expands the universe of obligated parties, which now includes data processors.
  • In relation to the comprehensive privacy notice, it eliminates the obligation to inform about personal data transfers and incorporates new requirements, such as detailing the personal data that will be processed, identifying sensitive data, and distinguishing between purposes that require consent and those that do not.
  • It modifies the content of the simplified privacy notice, which must now include the identity and address of the controller, the personal data processed with express mention of sensitive data, the purposes of the processing, indicating which require consent, and the means available to limit the use or disclosure of the data, in addition to indicating the site where the comprehensive notice may be viewed.
  • It redefines the concept of publicly accessible source. Only databases, systems or files that may, by law, be consulted by the public without any regulatory impediment qualify, and those containing information obtained unlawfully are expressly excluded.
  • It broadens the exceptions to the consent of the data subject, allowing that consent is not required when a legal provision so provides, including regulations and administrative circulars.
  • It formally introduces the concept of 'retention period' and establishes that personal data must be deleted only after this period has elapsed and after having been previously blocked, when they are no longer necessary for the intended purposes.
  • It reinforces the duty of confidentiality, obliging the controller to implement controls or mechanisms to ensure that all persons involved in processing personal data, including employees, processors and third parties, maintain such confidentiality even after the termination of the legal relationship.
  • It formally establishes that the right of access entitles data subjects not only to know that the controller holds their personal data, but also to know the conditions and general terms of the processing, which must be available in the privacy notice. It also establishes that the right of rectification allows data subjects to request the correction of personal data that are not only inaccurate or incomplete, but also out of date.
  • It incorporates new causes to exercise the right of opposition. In addition to the legitimate cause, individuals may oppose when their data is subject to automated processing that produces adverse legal effects or significantly affects their rights or freedoms. It also clarifies that this right does not apply if the processing is necessary to comply with a legal obligation.
  • It modifies the formal requirements for exercising ARCO rights (access, rectification, cancellation and opposition), requiring that the specific right being exercised or the specific request be indicated, and expressly distinguishing between the identity of the data subject and the legal representation of a third party.
  • It establishes more detailed guidelines for the submission, handling and validation of ARCO rights requests, strengthening legal certainty and the effective protection of data subjects.
     

 

Authored by Guillermo Larrea, Ana Rumualdo, and Victoria Villagómez.

Implications and recommendations

The changes incorporated by the LFPDPPP of 2025 represent a comprehensive transformation of the personal data protection regime. They not only strengthen the rights of data subjects, but also considerably expand the obligations of data controllers and processors. The law imposes higher standards of lawfulness, transparency, security and accountability. In this context, companies will need to take immediate steps to align their operations with the new regulatory framework.

First, each organization should perform a comprehensive audit of the data sources it uses, in order to identify those that no longer meet the legal definition of a publicly accessible source and could therefore represent a legal risk. At the same time, contracts with suppliers and business partners should be reviewed and updated, precisely delimiting the roles of data controller and data processor in accordance with the law's updated definition.

Additionally, companies should review and update all privacy notices, in both their comprehensive and simplified versions, incorporating the new mandatory elements and removing those that are no longer required. Although it is no longer mandatory to disclose data transfers, it is advisable to keep that information in the notice to promote transparency and remain aligned with international frameworks such as the European GDPR.

Regarding consent, companies should clearly identify which processing operations can be carried out without express authorization and ensure that each one is supported by a valid legal provision. Because regulations and administrative circulars now count as such provisions, this requires active monitoring of new rules and criteria issued by the regulatory authorities.

Another central aspect will be the establishment of clear policies on data retention and deletion, with defined retention periods and effective blocking processes that precede deletion. These policies must be duly documented and supported by adequate technical procedures.

The enhanced confidentiality obligation will require the signing of agreements with all those involved in data processing, as well as the implementation of access control mechanisms, ongoing training, and internal audits to ensure compliance.

Finally, companies must adapt their procedures for handling ARCO requests, ensuring that the formal requirements are met and that responses include detailed information on the processing. Companies must guarantee that data subjects have easy access to their data and to the mechanisms for exercising their rights, including specific measures for handling requests related to automated decision-making or artificial intelligence.

 
